Two very minor XSS (Cross Site Scripting) bugs were discovered and reported, and both were fixed within the next few hours. They were quite interesting and a little different from the usual, which is why I would like to share these findings. Below are my reports to Vimeo and XMarks for my discoveries today.
My Report to Vimeo:
A cross site scripting vulnerability was discovered when I tried to connect my Dropbox folder with Vimeo.
Please follow these steps to reproduce:
1: Log in to your Vimeo account.
2: Navigate to My Settings / Apps.
3: Connect Dropbox.
4: Click the checkbox "Auto-upload from:" and a pop-up window will open to select the folder.
5: Create a new folder with the payload as its name.
Payload: "><img src=x onerror=alert(1)>
A pop-up will then appear as in the attached image.
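The root cause behind a report like this is a folder name fetched from a third-party service being interpolated into HTML without output encoding. The following is an added example (not Vimeo's or Dropbox's code) that renders a constructed list of folder names the vulnerable way and the hardened way, using the payload from the report above as one of the names, so the difference can be checked in a unit test rather than by clicking through a UI.

```javascript
// Added example, not code from Vimeo or Dropbox. It shows how a folder name
// pulled from an external service becomes stored XSS when concatenated into
// markup, and how encoding at the point of insertion prevents it.
// The folder names are constructed sample data; the third one is the
// payload quoted in the report above.

const FOLDER_NAMES = [
  'Videos',
  'Holiday 2011',
  '"><img src=x onerror=alert(1)>', // payload from the report
];

// Vulnerable rendering: the name is pasted straight into both an attribute
// and the element body. The quote and angle brackets in the third name close
// the attribute and inject a new <img> element with an event handler.
function renderFolderListUnsafe(names) {
  return names
    .map((n) => `<li data-folder="${n}">${n}</li>`)
    .join('\n');
}

// Minimal HTML entity encoder covering the characters that matter both in
// text content and inside a double-quoted attribute value.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened rendering: every value that did not originate in this template is
// encoded where it is inserted, regardless of whether it came from the user,
// a partner API, or the site's own database. A stored folder name is still
// untrusted data when it is rendered.
function renderFolderListSafe(names) {
  return names
    .map((n) => `<li data-folder="${escapeHtml(n)}">${escapeHtml(n)}</li>`)
    .join('\n');
}

// Review/test helper: count opening tags in the rendered markup. A template
// that emits one <li> per folder should produce exactly names.length tags;
// anything more means data was parsed as markup.
function countElements(html) {
  return (html.match(/<[a-zA-Z][^\s>/]*/g) || []).length;
}

console.log('unsafe:\n' + renderFolderListUnsafe(FOLDER_NAMES));
console.log('safe:\n' + renderFolderListSafe(FOLDER_NAMES));
```

Running it prints the unsafe markup with two injected `<img>` elements (the name appears in the attribute and in the body) and the safe markup with the payload rendered as inert entities. The `countElements` check is the kind of assertion worth keeping in a template test suite: it fails as soon as any rendered value introduces a tag the template did not write.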
My Report to XMarks: